Tuesday, January 20, 2009

Using a network monitor to “sniff” traffic sent to/from the local machine…

Occasionally you want to sniff some network traffic but the traffic is all local and you find that the network sniffer doesn’t show anything. This is because the traffic doesn’t make it out to the capture drivers, it is redirected internally before it gets that far.

I am working on testing AdMod right now with ADAM on the local machine and sure enough I wanted to see what the actual traffic was so I dug through my old notes on how I accomplished this before. Then I whipped up a perl script to configure it automatically for me on a single IP machine.

The basic concept is to force all of the local traffic out through the network interface. You can do this by changing the routing table for the packets. Specifically, you need to add a new entry for the local IP address with a 32 bit subnet mask directing the traffic to the default gateway with a lower metric than the entry directing the traffic to 127.0.0.1….

Ok… so specifics. Here is the default routing table of my current machine (yes the formatting sucks)

F:\Dev\Perl\SniffLocal>route print

IPv4 Route Table
===========================================================================
Interface List
0×1 ……………………… MS TCP Loopback interface
0×10003 …00 0b db 98 aa e7 …… Broadcom 440x 10/100 Integrated Controller
===========================================================================
===========================================================================
Active Routes:
Network Destination       Netmask         Gateway      Interface Metric
         0.0.0.0         0.0.0.0     192.168.0.2   192.168.0.106    20
       127.0.0.0       255.0.0.0       127.0.0.1       127.0.0.1     1
     192.168.0.0   255.255.255.0   192.168.0.106   192.168.0.106    20
   192.168.0.106 255.255.255.255       127.0.0.1       127.0.0.1    20
   192.168.0.255 255.255.255.255   192.168.0.106   192.168.0.106    20
       224.0.0.0       240.0.0.0   192.168.0.106   192.168.0.106    20
 255.255.255.255 255.255.255.255   192.168.0.106   192.168.0.106     1
Default Gateway:Â Â Â Â Â Â 192.168.0.2
===========================================================================
Persistent Routes:
 None

Â

You will note the entry

   192.168.0.106 255.255.255.255       127.0.0.1       127.0.0.1    20

That keeps the traffic sent to 192.168.0.106 local. I just add an additional entry with the command

route add 192.168.0.106 MASK 255.255.255.255 192.168.0.2 metric 10

Which results in a new table of

IPv4 Route Table
===========================================================================
Interface List
0×1 ……………………… MS TCP Loopback interface
0×10003 …00 0b db 98 aa e7 …… Broadcom 440x 10/100 Integrated Controller
===========================================================================
===========================================================================
Active Routes:
Network Destination       Netmask         Gateway      Interface Metric
         0.0.0.0         0.0.0.0     192.168.0.2   192.168.0.106    20
       127.0.0.0       255.0.0.0       127.0.0.1       127.0.0.1     1
     192.168.0.0   255.255.255.0   192.168.0.106   192.168.0.106    20
   192.168.0.106 255.255.255.255       127.0.0.1       127.0.0.1    20
   192.168.0.106 255.255.255.255     192.168.0.2   192.168.0.106    10
   192.168.0.255 255.255.255.255   192.168.0.106   192.168.0.106    20
       224.0.0.0       240.0.0.0   192.168.0.106   192.168.0.106    20
 255.255.255.255 255.255.255.255   192.168.0.106   192.168.0.106     1
Default Gateway:Â Â Â Â Â Â 192.168.0.2
===========================================================================
Persistent Routes:
 None

Â

Here is some perl code to do it all automatically

print “\nSniffLocal V01.00.00pl Joe Richards (joe\@joeware.net) August 2006\n\n”;
my @out=`ipconfig`;
my @ipa=grep(/IP Address.+/,@out);
my @gwa=grep(/Default Gateway.+/,@out);
my ($ip)=($ipa[0]=~/: (.+)/);
my ($gw)=($gwa[0]=~/: (.+)/);
chop $ip;
chop $gw;
print “IP Address     : $ip\n”;
print “Gateway Address: $gw\n”;
my $routemod=”route add $ip MASK 255.255.255.255 $gw metric 10″;
print “\nCurrent Routing Table\n”;
print `route print`;
print “Route Modification Command: $routemod\n”;
print “Route Modification Output:\n”;
print `$routemod 2>&1`;
print “\nNew Routing Table\n”;
print `route print`;
print “\n”;

So now any traffic the local machine sends to the local IP address will get redirected out to the router. What won’t get routed will be anything sent to localhost, 127.0.01, or the machine’s name (since it will get resolved to localhost). For those you can add entries to the hosts file and force those to the machine’s IP address and those should get redirected as well.I don’t recall when I first started doing this but it has worked for years for me. I am sure it may help at least one of you (y’all) as well.

Thanks: joe Â

0 Responses to “Using a network monitor to “sniff” traffic sent to/from the local machine…”